CMMC

“Highly professional, met all deadlines, responsive to all questions, excellent knowledge of the CMMC model as it stands as well as keeping up to date with changes.  Sawdey has been a great company to work with, we are very happy with our selection of your company to help guide us to CMMC compliance.”

– T.J. McCambridge, Quality Manager, Black Diamond Engineered Products, Inc.

“Sawdey has been excellent in following-up and has gone above and beyond in helping us find solutions to issues.”

– Beth Robb, Project Manager, Liona Enterprises, Inc.

“Very good communication and work products.  Accomplished what we set out to do.”

– Doug Barber, Founding Principal/COO/Executive Vice President/FSO/ITPSO, BB&E, Inc.

“One eye-opening finding of the pre-assessment came when comparing it to an assessment performed internally.  Certain cybersecurity requirements were more nuanced than originally perceived, which of course translates to vulnerabilities and a lower SPRS score.  Sawdey Solution Services made it easy to identify the CMMC shortcomings and provided a roadmap to compliance.”

– Garrett Sargent, Founder, PSOAS LLC

“Our confidence in your [Sawdey’s] understanding of the standard was high.  We appreciate your [Sawdey’s] understanding of our situation as a very small business trying to gain this certification.”

– John Noel, Vice President, Noel-Smyser Engineering Corporation 

CMMC Certification Preparation for DoD Contractors

What is CMMC?

  • The Department of Defense (DOD) Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard designed to ensure the protection of information in future DOD acquisitions, since protecting that information is critical to maintaining national security.
  • It is intended to protect and prevent unauthorized access to Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the DOD supply chain and Defense Industrial Base (DIB).
  • The CMMC Program will assess and verify the institutionalization and maturity of cybersecurity practices and processes of DOD contractors via a third-party assessment.

How does my company obtain/achieve a CMMC level certification?

  • Companies will coordinate directly with a certified independent CMMC Third-Party Assessment Organization (C3PAO) to request and schedule a CMMC assessment.
  • Once the assessment process is finalized, upon successful demonstration of the appropriate capabilities and organizational maturity, the organization will receive the corresponding CMMC level certification.
    • Certifications are expected to be valid for 3 years.

How is the CMMC Model organized?

  • The CMMC Model framework organizes processes and cybersecurity best practices into a set of domains; CMMC Model v1.02 encompasses:
    • 43 capabilities across 17 capability domains
    • 5 processes across 5 levels to measure process maturity
      • Processes range from Level 1 (Performed) up to Level 5 (Optimized) across the organization (see Figure 1).
    • 171 practices across 5 levels to measure technical capabilities
      • Practices range from Level 1 (Basic Cyber Hygiene) to Level 5 (Advanced/Progressive) (see Figure 1).
  • In order to meet a specific CMMC level, an organization must meet the practices and processes within that level as well as those below it.
  • Once implemented, offerors will be required to hold a CMMC certificate at a specified level or higher to be eligible for award on DOD solicitations.

Figure 1. Capabilities assessed for practice and process maturity. Practices: Level 5 – Advanced/Progressive, Level 4 – Proactive, Level 3 – Good Cyber Hygiene, Level 2 – Intermediate Cyber Hygiene, Level 1 – Basic Cyber Hygiene. Processes: Level 5 – Optimized, Level 4 – Reviewed, Level 3 – Managed, Level 2 – Documented, Level 1 – Performed.

Who will be impacted by CMMC?

  • All prime contractors and subcontractors doing business with the DOD; this includes IT service providers, accountants, consultants, landscapers, janitorial services, and so on.

What is the timeframe for CMMC?

  • CMMC requirements will begin to appear in DOD solicitations in FY 2021; an estimated 300,000+ DOD contractors will be affected.
  • The DOD issued an interim rule effective November 30, 2020, which updates the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the assessment methodology and CMMC framework for DOD procurements as well as adding a new requirement for cybersecurity assessment under the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 framework.
    • Under the interim rule, contracting officers must verify that an offeror has a current NIST SP 800-171 DOD Assessment (covering the standard’s 110 security requirements) on record, prior to contract award, for applicable solicitations.
    • Assessment scores must be posted in the Supplier Performance Risk System (SPRS).
  • CMMC requirements are expected to be fully implemented in DOD contracts in FY 2026.

How is Sawdey well-positioned to help your organization prepare for CMMC?

  • We have a dedicated team of cybersecurity experts actively reviewing all CMMC developments.
  • We are a Capability Maturity Model Integration for Services® (CMMI-SRV) Maturity Level 3 (ML3)-appraised company following International Organization for Standardization (ISO) 9001 certified processes.
    • Our experience in obtaining our CMMI appraisal and ISO 9001 certification has provided firsthand knowledge that is incredibly valuable in helping other companies obtain their CMMC certification.
  • We have been selected by a major university as a partner responsible for educating suppliers on the CMMC Standard and requirements within the state of Ohio.
    • Through this partnership, we provide cybersecurity subject matter expertise in support of content development, delivery of seminars, working groups, and roundtable discussions.

Specifically, what CMMC services can Sawdey provide your organization?

  • Identification of the needed CMMC level based on current DOD work, CUI being handled, and existing contract clauses.
  • Pre-Assessment Gap Analysis – a comprehensive pre-assessment of your organization’s cybersecurity posture, identifying any deficiencies per the current NIST Standards, CMMC Standard, and DFARS cybersecurity requirements.
  • Risk Mitigation Strategies – strategies to eliminate or reduce cybersecurity risks.
  • Documentation/Deliverables – including, but not limited to, System Security Plan (SSP), Plan of Action and Milestones (POA&M), policies and plans, etc.
  • Quality Analysis – additional assessment(s) to evaluate progress and address any outstanding POA&Ms.
  • Education – initial and continuous guidance as DOD cybersecurity standards and policies evolve.

Pass Your Upcoming CMMC Assessment with Confidence

Sawdey is helping DOD suppliers throughout the U.S. navigate the complexities of CMMC. To gain a competitive advantage as requirements evolve, consider taking the first proactive step in preparing for your CMMC assessment now. With us, you can obtain a high-quality pre-assessment of your current cybersecurity posture and learn how best to reach your desired CMMC level in line with your current and future business objectives.
